The Mythos Inflection: Why Pre-LLM Identity Stacks Just Aged a Decade Overnight
Anthropic announced a model it refused to ship. Claude Mythos found zero-days across every major OS, 99% of them unpatched. For security architects, the threat model has permanently changed.
On April 7, 2026, Anthropic announced a model it refused to ship.
Claude Mythos Preview autonomously discovered thousands of zero-day vulnerabilities across every major operating system, browser, and cryptography library. One was a 27-year-old bug in OpenBSD. Another survived roughly five million fuzz iterations before Mythos found it. In head-to-head testing, Mythos produced 181 working Firefox JavaScript engine exploits; the prior-generation Opus 4.6 produced two. Over 99% of the vulnerabilities Mythos surfaced are unpatched.
Three days later, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened an emergency briefing with five Wall Street CEOs. The UK AI Security Institute disclosed that Mythos is the first AI system to solve "The Last Ones," a 32-step enterprise-network attack simulation that typically requires 20 hours of expert human effort. Anthropic launched Project Glasswing with 12 founding partners. One bank is inside. JPMorgan Chase.
For bank CISOs and fraud operations leaders, the question now is not whether the threat model has changed. It has. The question is whether your defensive architecture was built for the world that just ended, or for the one that just arrived.
The 99% Number Is the Real Story
Mythos is a capability demonstration. The structural signal is what happens after demonstration. Over 99% of the zero-days Mythos found are unpatched. That is not a research artifact. That is the current state of every enterprise network that has not been specifically audited against AI-speed reconnaissance.
The attack surface that your identity stack was designed to protect has changed faster than your stack was designed to adapt. The question is not whether Mythos-level capability will eventually be accessible to threat actors. The question is what your architecture looks like when it is.
What "Pre-LLM" Actually Means for Security Architecture
Pre-LLM identity stacks were designed around a specific threat model: human attackers with human constraints. Limited scale. Human-speed adaptation. Detectable patterns.
LLM-enabled attackers operate outside those constraints. They run at machine speed. They adapt in real time based on detection signals. They do not fatigue, do not make careless mistakes at 2am, and do not need the same vulnerability twice.
The identity infrastructure built before this capability existed — document-centric KYC, static biometric matching, rule-based behavioral analytics — was built for a different adversary. It was not built wrong. It was built for a threat model that no longer fully describes the threat.
The Architectural Response
The organizations that will navigate the next 18 months well are the ones asking a different question. Not "how do we add more rules to our existing stack?" but "is our stack designed to interrogate signals at the speed and volume that AI-enabled attacks generate?"
That is a different kind of investment. It is also the one that compounds. Organizations that build dynamic, signal-rich identity infrastructure now are not just better protected against today's threats. They are building the foundation for whatever the next capability inflection produces.
The inflection already happened. The architectural response is the work that is left.